njrat | f2ed2d3f31a52a07eea95932c6cd97cbf6a5c527622f51a139efe941243bc34d | Triage

Sharing

General

Target

f2ed2d3f31a52a07eea95932c6cd97cbf6a5c527622f51a139efe941243bc34dN.exe
Size

113KB
Sample

241129-bg88maxmbw
MD5

5f802eb02cdba2f6bca9258d93171520
SHA1

392735ffdc077020d45682e928bfb351214c2f66
SHA256

f2ed2d3f31a52a07eea95932c6cd97cbf6a5c527622f51a139efe941243bc34d
SHA512

0ddb99572ecbedffbf74ed6b9ea8c85b33113b5b16ef0f5d14dcbca67f14ae0b363c85086d5c4041225f6b337ac6dc43fff3464a021396bac1d259be50c9532e
SSDEEP

1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73vrn:w5eznsjsguGDFqGx8egoxmO3rvj

Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Targets

- Target
  
  f2ed2d3f31a52a07eea95932c6cd97cbf6a5c527622f51a139efe941243bc34dN.exe
- Size
  
  113KB
- MD5
  
  5f802eb02cdba2f6bca9258d93171520
- SHA1
  
  392735ffdc077020d45682e928bfb351214c2f66
- SHA256
  
  f2ed2d3f31a52a07eea95932c6cd97cbf6a5c527622f51a139efe941243bc34d
- SHA512
  
  0ddb99572ecbedffbf74ed6b9ea8c85b33113b5b16ef0f5d14dcbca67f14ae0b363c85086d5c4041225f6b337ac6dc43fff3464a021396bac1d259be50c9532e
- SSDEEP
  
  1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73vrn:w5eznsjsguGDFqGx8egoxmO3rvj
Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratneufdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratneufdiscoveryevasionpersistenceprivilege_escalationtrojan